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(54) Security in electronic fund 
transfer systems 

(57) A technique for moneyless small 
cash transactions by means of an elec- 
tronic purse device with contactless 
data transfer is described from the point 
of view of overall systems performance 
using changeable genuity test data, in 
accordance with British Patent Applica- 
tion 8028824. It is shown that a genuity 



test of the described kind must apply 
not only to the mutual testing of the 
purse or pay device and the point of 
sale terminal but also as between the 
latter and the bank computer to which 
sales point takings are to be electroni- 
cally transferred. 

Guide lines are given how attempted 
fraud can be met by using a sequential 
number incremented by one with every 
transaction and which is countercheck- 
ed by the Banks Computer. In combina- 
tion with location codes uniquely 
attached to transaction terminals, 
attempted fraudulent action would be 
rapidly discovered. 

The remote but feasible possibility of 
a person meddling with his account 
number to avoid being debited for 
purchases made, is met by a linkage 
established between said number and 
the variable test number in such a 
manner that any incongruity due to 
changed account numbers would be 
discovered at the sales terminal itself. 
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SPECIFICATION 

Hierarchic arrangement for the verification and 
renewal of security data in electronic fund transfer 
5 systems 

Our patent application BP 8028824 entitled Security 
Arrangements In Data Transfer Equipment describes 
measures for ensuring that data contained in a data 
10 storage station cannot be read out without that 
station first passing a 'question and answer' test 
which is of such a kind that stereotype - that is 
forgable - test answers cannot be given by that 
storage station. A safeguard against the possibility 
15 of a set of test numbers becoming known, for 

example through unauthorized manioulation of the 
equipment, has further been described In the above 
cited application; it consists in arrangements for 
changing the relationship between test number 
20 storage addresses and the test numbers as well as in 
procuring entirely new test numbers, at regular or 
irregular intervals of time. The description speaks of 
a cyclic change in the significance of the numbers 
which to begin with are 'active', then 'semi-retired', 
25 then vacated numbers. Vacated numbers are always 
replaced by new 'active' numbers. These test num- 
bers, originating as they would from a single 
centralized Head Quarters of a bank or a central 
Clearing Bank and transmitted from there via scram- 
30 bled dedicated data lines to the branches of banks, 
credit institutes, etc., mainly during night times, 
would be very safe from unauthorized inspection or 
interference especially if the security measures 
described hereunder are applied. 
35 Already In our patent application ser mo 8028824 a 
method of changing test numbers without loosing 
region- or natlonwise validity at transaction stations 
was described. The description was fairiy complete 
as far as the data transfer between a portable data 
40 token and a transaction station is concerned; howev- 
er, it failed to show the exact security measures that 
would ensure that only an authorized station would 
be able to change the test codes, and that the 
transfer of transaction data to another data station is 
45 dependent on the fulfillment of certain test condi- 
tions. An investigation of the overall requirement 
shows that the concept of a self-repairing security 
system that was applied in pat. appl. 8028824 for the 
data transfer between a widely distributed 'pay 
50 token' and point of sale or transaction terminals 



an associate data transaction controller unit, 'B\ 
a with 'B' associable self-contained component 'C, 
and a computer station at a bank branch, '£)', 
wherein all the named units contain reactive cou- 

70 pling links. 

D can also be an intermediate signal converter from 
which the data contents can be received/transmitted 
to a data center D by a pair of telephone lines. The 
interrogation principles applied between D and C 

75 would be analogous to thise described for the 
interrogation of A by B, or respectively B by A, 

For the better understanding of the improvements 
presented by this pesent application, the circuitry of 
Figure 2 of the cited application is here recapitulated 

80 in a block-diagrammatic form of the present Figure 
1. Figure 2 of the nrespnt annlination shows the 
methamorphosis in sufficient detail. Figure 3 gives a 
survey of the total systems structure with respect to 
the data flow therein. 

85 

Detail Description of Figure 1 

A represents the circuit of the portable data 
component as given in Detail in Figure 1 of the cited 
patent application. The inductive coupling arrange- 
90 ment using coils 2 and 3, and the electrical detail 
circuitry connected therewith is described in the 
applicants application nr. 7931208. Therefore, these 
details are not being repeated In this paper, although 
some elements are indicatively included in the 
95 diagrams. 

The associable transaction control terminal has 
corresponding coupling coils 2a for the bidirectional 
transfer of data and 3a for passing on clock pulses 
and energy to component A. A clock phase counter 

100 and decoder 8 helps to differentiate between clock 
pulses having different roles and timing; In conjunc- 
tion with a program counter 9 the data multiplex 
circuit 10 addresses and activates various portions of 
the circuit at the required times and sequences via 

1 05 internal (microelectronic) wires 

19,14,15,16,17,18,20,21,41 and 43. For example the 
synchronizing pulses comes over wire 41 which 
ensure that the program counters in A synchronize 
with program counter 9. The address or reference 

110 number which originated in token A is passed to the 
address decode unit 30 via wire 19. The selected test 
number of unit 31 , flanked by one or two 'wrong' test 
numbers, is clocked out via wire 36 and a current 
amplifier 6 into the transfer coils 2a-2 and circuit ^4. 

1 1 5 Similarly, debit data are transferred via wire 43 to the 



CD 

m 

CO 
H 

1 

r- 

> 

03 

r- 

o 

O 



T test numoers rrom tne said Clearing Center or 
Bank H Q from and to the branches. Thereby one 
arrives at a hierarchical arrangement for the passing 
on of periodically changing test data, in the context 
of an unpredictable sequence of right and wrong test 
numbers. 

In order to tHKO dccount of tiie requirements of j; 
overall secure system it became necessary to de- 
velop the circuitry of Figure 2 of the cited patent 
application in greater detail resulting in a re- 



• the resDOnse snows a ranltv answer The cirnt;;T ni/:^ 
i2u an inhibit signal on the Oscillator 7 via wire 43 and 
also produces a 'faulty' display via wire 35 on the 
display section 26. After the token has been tested 

satisfactorily the value of the token, or of the 
selected token account (see co-pending appiicatic' 
entitled 'Portable Data Carrier out and shown up m 
store/display section 22. The debit calculator 1 1 
responsive to a debit input 13 calculated the reduced 
token or account value and displays it ;n section 24. 
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1 1 directly which is fully described in the cited patent 
application 8028824. The token is of course also 
tested against general qualifying data such as a code 
for the national network within which the electronic 
5 fund transfer token has validity or personal member- 
ship etc. This comparison is carried out by circuit 
blocks 29 and 29a, and if this test is defect the 
intended transaction is rejected. 
The buffer store 34 was meant to contain the new 

10 test numbers offered for example via telephone 
connection to the terminal. However, this was by 
way of indication only; it was always clear that 
security against arbitrary insertion of test data would 
have to be high, as high as that provided for all data 

1 5 exchanges In the system. Moreover, since the data in 
memory store 31 constitute variable data it is 
necessary to ensure that the functionally associated 
circuitry cannot be bye-passed and this is best 
achieved by Integrating all the related circuits on a 

20 single substrate. This includes at the very leastthe 
automatic sequencing changer, the response eva- 
luator, the address decoder, and ail the multiplexing 
circuit elements. The transaction memory 63 should 
be fully encapsulated conjointly with the integrated 

25 circuitry. This leads to a separation of Figure 1 into 
two sections, B and C, the boundary of 'B' being 
indicated by the line a - a. This re-arrangement 
reflects in the diagram Figure 2. Here, A and B are 
now represented by reactively coupled circuit 

30 blocks. Again reactively coupled to this system is 
now section C in which 321 is the block of registers 
for the wrong and right test numbers. {Note, even 
the wrong test numbers have address-enable inputs; 
these, however, are only used when new test 

35 numbers are inserted into block 31 to replace 

'vacated' test numbers; on such occasions even the 
wrong numbers are changed at times, for good 
reasons.) 

Most of the circuit blocks can be recognized as 
40 having been contained in Figure 1 ; the multiplex 
circuitry, the program counter, and the clock phase 
decoder had to be duplicated, (10a,9a and Ba). 

For communicating with a data center such as a 
bank branch D there are built into block C two further 
45 coupling links 2d and 3d which are capable of being 
coupled with colls 2e and 3e in unit D. {In Figure 2, D' 
represents a MODEM whereby C can communicate 
with D via a pair of ordinary telephone lines). 
The OR gate 54 can accept input data either from 
50 coupling coils 2c or 2d. Similarly OR gate 58 acceps 
clock pulses either from coil 3d or 3c. Simultaneous 
inputs are inhibited bv switnhes 59 BO anri 53 

V .Ljuanv, iiucn ds accuuni i\umijer or tOKen owner , 
udnk brancn coae, aate ana deoit amount. In order to 
read out this record from storage unit 63, certain 
conditions must be fulfilled, the interrogating com- 
puter unit D will check on the qualifying data held in 
6^ store 51 which also delivers an address numberfor 
the first test number held in store 31 . Computer D 
must then generate the corresponding test number 
and transfer it to unit C where it is compared in 
exclusive OR gate 61. This is repeated for each of the 



62 latches and inhibits any further processing. This is 
a safeguard against the transactiori memory loosing 
its data through an unwarranted readout. After the 
test and readout steps are caried out there remain 

70 further program steps in the program counter; these 
may be used for providing a mark to existing active 
numbers whereby they are transferred to the class of 
semi-retired numbers; and for vacating another test 
number from the last-mentioned group to replace It 

75 by an entirely new test number. Finally, also for 
changing one or the other of the so-called 'wrong' 
test numbers so as to eliminate all familiarity 
elements from the test number structure. As al ready 
indicated, the unit 'C consists of one or more 

80 integrated circuit chips potted in a box which is fully 
sealed ailround. A rechargable battery may be 
integral within the device. 

As a rule, the unit 'C would be removable from its 
location within the chassis of unit 'B', and may be 

85 bodily taken to the trader's own bank branch for the 
purpose of transferring the information contained In 
storage segment 63 to the computer of the bank 
branch concerned in order to debit the various 
accounts of the trader's customers and to credit the 

90 account of the trader concerned. That this provides 
the opportunity for also changing the said variable 
test numbers Is an administrative matter v^ch need 
not concern the trader. yj 
The transaction list of memory 63 proviTOS space 

95 to register for each transaction the accounit number 
of the token, the debit, a transaction seqq^tial 
number, a serial number forthe location^the 
terminal, and a date. The transaction nuafiber is 
obtained from the token A and represerfs' the 
100 number of transaction carried out with pie token up 
to the moment before the next transaction. As the 
token is checked into sales terminal B |l^s number Is 
incremented by 1 and returned to the token, also 
passed on to unit C to be added to thfiftransactlon 
105 information in store 63. (. 

Figure 2 indicates two stores in the*S&les Terminal 
B, the just referred to store receiving^rom A the 
current transaction number and increasing it by 1 . 
The other store holds the permanent location num- 
110 ber identifying the location of the terminal; also 

these data are passed on to the store 63 but need not 
necessarily be repeated here for each transaction 
although further downstream, when transaction 
data are transferred to the banks' computers, they 

1 1 5 have to be added together with the time information. 
All these data are needed for a certain amount of 



r(>iirea test nuniuers Tirst aescrioed m patent appucci 
tion 8028824 may also be used to protect the 
inalterability of the account number. This would be 
done by providing in the token for two account 

registers one of which holds the true account 
' number whereas the other holds a function of the 
i;Ccount number and the test number held in the 
token. A simple case is where this function is a 
difference. Call AN the account number, TN the test 
number. The said second account store must then 

^ ^rs 1 .r_J _ ' / ' _ AM TM ;.^.-r->r'r-xo-^fi\/Dofcinn 
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When the token is checked into a point of sale 
terminal or into an updating terminal both account 
numbers are read out and their difference formed in 
an arithmetic circuit the terminal must be equal to 
5 TN. If it is not equal the comparator produces an 
output signal disabling all further operation and 
providing a visual indication such as 'defect account 
number' or 'token retained for check-up'. 
Since, as has been described in the referenced 
10 documents, the test numbers change at irregular 
intervals, also the deduced AN numbers will neces- 
sarily change as well in the course of time. A 
potential forger of the account number will find 
himself rejected, assuming he may altogether suc- 
15 ceed in incorporating a suitably multiplexed but 
nevertheless directly accessable micro-store for 
holding account numbers which he may ai wiii vary. 
Because, according to the above defined scheme, it 
would not be enough for the would-be forger to 
20 generate an account number different from his own, 
he must also enter a new AN number which is 
related to the test number held in the token. This test 
number, however, is so locked into the circuitry that 
it has no outlet for being read from the circuit. Not 
25 knowing what this number is, the would-be forger 
could thus not effectively alter the account number 
of the token. The only other approach for him would 
beto try to monitor, if that were at all possible - and 
this depends partly on the detail techniques em- 
30 ployed in the data transfer - the transfer means at 
some point. This would require elaborate apparatus 
difficult to place at a publicly accessable terminal. At 
other points these data would be completely inac- 
cessable. Nor could any person be asked what the 
35 test numbers are at a given time since, they are 
electronically random-selected at the Head Quarter 
computer of the Clearing House. They are transmit- 
ted in scrambled form to Banks and Branches all 
over the country at unpredictable dates and times 
40 and occupy the system lines for only an infinitesimal 
portion of the operating times. The token terminals 
at Banks would not permit meddling with them and 
would incorporate precautions against Information 
tapping and the opportunities for doing unusual 
45 things unobserved would be rare. Whereas one can 
never exclude one occasion when all the circumst- 
ances happen to further an unobserved fraudulent 
attempt at discovering the test number, the likeli- 
hood that this can be repeated, say week by week, is 
50 non-existent. The risk for being observed and 
apprehended would be the greater as bank compi! 



ches 'D' of the various banks via dedicated scram- 
bled data lines. The local bank branches, post offices 
(giro) and credit card agencies pass on any new test 
numbers to the cumulative transaction box 'C when 

70 checked in physically at their respective terminals or, 
via phone lines t. When the box 'C - as would 
normally be the case- forms part of the point of sale 
terminal S it passes on to the individual tokens T 
when presented to S the new test numbers con- 

75 cerned. While, in theory, it might be possible to tap 
the new test signal while it is being transmitted to a 
data token it is well within the scope of the art to 
place great obstacles into the path of a person 
wishing to do that at a public terminal with fraudu- 

80 lent intent. 

Summary, a novel cashless value transfer system 
is described which permits the use of permanent 
electronic tokens while maintaining a high standard 
of security and versatility. The procurement cost of 

85 the equipment would be distributed over several 
agencies. The tokens, being permanent, would be 
issued to the public against registration and an 
annual membership fee from which the cost of 
supply and administration can readily be covered. 

90 The box C would be purchased by the individual 
trading firms. Banks would purchase terminals and 
hire them out to traders. Dedicated data lines for the 
transmission of inter-bank data already exist, or 
would shortly exist; they would be only lightly 

95 loaded by the proposed system. 

CLAIMS: 

1 . An electronic fund transfer and data protection 
100 system comprising 

(A) portable data carriers 

(B) transaction terminals 

(C) a self-contained portable storage unit for 
storing security test numbers and a list of transac- 

1 05 tion events data obtained from said transaction 
terminal 

(D) a computer unit with data storage space for 
receiving transaction event data from units 'C and 
for imparting new test numbers to said units 'C 

110 (F) one originating station where security test 
numbers are defined and electrically passed on to 
computer units 'DVia dedicated communication 
lines 

2. An electronic fund transfer and data protection 
115 system wherein units A, B, C and D have each 



. ■ : ■ .. ; -.-tjeji iiieuu: ,iU-jUi: 

►■^'■>ce. even 't "i: p333;o;c; yci, tre SyStciii u' votiduu., 
test numbers would make it necessary to monitor 
them continually. 

In summary, with the aid of the variable test 
numbers technique a forge attempt directed at thr- 
ciccount nur^be" of the nay toker, can instartlv b*- 
refuted and the intended sale is stopped. 

Figure 3 shows how new test numbers which 
originate at a National Bank Headquarters or a 



,.!ru(K'ates a siore ror several test nu^noers, aru: 
. tfidt one Of these is seiectea by means of a reference 
address which is transmitted by unit 'A' when 
associated with unit 'B' via B to unit 'C whereupon 
the selected test number together with "wrong" test 
data 's transmitted back to unit A via unit B. 
;': i. An electronic fund and data protection syste'-'" 
as in Claims 1 and 3 in which unit 'A' receives the 
combination of right and wrong tests signals and 
transmits to unit 'C via unit 'B' its evaluation signals 

r^f caiH toct cinnalc \ft/horc>i rnnn (init 'C PYPminP5? said 
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an output voltage which inhibits further processing if 
the evaluation by unit 'A' proves to be defect, 

5. An eiectronic fund and data transfer and 
protection system as in Claim 1 characterized in that 

5 the unit 'C has two separate input/output reactive 
coupling links that portions of its circuitry can be 
accessed via either of these links, that is to say, 
either by transaction terminal 'B', or by Computer 
Terminal 'D' via auxiliary Modem D', but not by both 
10 units simultaneously. 

6. An electronic fund transfer and data protection 
system as in Claim 5 wherein inhibit gates are 
provided to prevent simultaneous coupling of unit 
'C 

15 7. An electronic fund transfer and data protection 
system as in Claim 1 wherein unit 'C has a storage 
register for storing test number address data, and 
niedfis for transmitting these data to a computer 
installation 'D', storage means In the computer D to 

20 store test numbers and addressing means to select 
one of these numbers for readout by an interrogat- 
ing station, means in the unit 'C for receiving and 
comparing such a selected test number with that 
stored in its said storage register, and means to stop 

25 the communication link with the computer if said 
comparison is defect. 

8. An electronic fund transfer and data protection 
system as in Claim 7 wherein the data transfer 
program in unit 'C permits the readout and subse- 

30 quent testing of all the test numbers held In its 
memory against corresponding test numbers held 
by the computer unit and produced in response to 
consecutively transmitted addresses sent out by unit 
'C, and means in the unit 'C circuitry to stop the 

35 communication link with the computer if any one of 
the comparison tests fails. 

9. An eiectronic fund transfer and data protection 
system as in Claim 1 characterized by means in the 
computer D for receiving intructions via dedicated 

40 data communication networks for earmarking cur- 
rently 'active' test numbers as 'semi-retired' test 
numbers, and of ear-marking currently 'semi-retired' 
test numbers as replaceable by new test numbers, 
furthermore means in the computer D for receiving 

45 and storing new test numbers, means for encoding a 
semi-retired number and for transmitting said code 
or flag to unit 'C within the time-multiplex plan of its 
program cycle, and means for displacing a retired 
number in unit V storge space and for replacing it 

50 by said new test number. 

10. An electronic fund transfer and data protect- 
ion svstem as in Claim 9 the computer unit D hpfrr 



,u ir;f^ii.;it riieanb a: ine circuit ot uiml 
vj v'jiitii ty &atu reauoul if tne computer response lu 
the test number addresses sent out by unit 'C 
proved to have been defect. 

11. An electronic fund transfer and data protec- 
tion system as in Claim 10, in which said transactinr- 
■ist store contained in unit 'C consists of a tape deck 
with stepping motor and that said motor is powered 
by inductive coupling to data controlled stepping 
pulses, and which stepping pulses pass through an 



of unit 'C 

1 2. An electronic fund transfer and datg protec- 
tion system as in claims 1 to 11, wherein the major 
part of the circuits of unit 'C constitute large-scale 

70 integrated circuits incorporated in an externally 
smooth and contactless, readily transportable tablet. 

13. An electronic fund transfer and data protec- 
tion system as in claims 1 - 12 wherein the portable 
data carrier 'A' contains a store for holding a 

75 sequential number which is transferred to the circuit 
of the transaction terminal 'B' where it is in- 
cremented by a number X and returned to the data 
token at a predetermined time slot of the transaction 
cycle. 

80 14. An electronic data transfer system as in claim 
13, wherein provisions are made in the self- 
contained portable storage unit 'C for storing the 
said transaction number as an adjunct to the particu- 
lars of each transaction within the transaction list 

85 memory in order to pass it on to the bank computers. 

15. An electronic data transfer and data protec- 
tion system as in claims 13 and 14, wherein the bank 
computers are programmed to compare the transac- 
tion numbers of consecutive transactions of the 

90 same account number and to reject any particular 
transaction if the discrepancy exceeds a preset 
amount and to initiate a printout of the transaction 
details for further action by staff as required. 

16. An electronic data transfer and fund protec- 
95 tion system wherein the terminal 'B', of the portable 

storage unit 'C contains a location code by which its 
installed location is recognizable, and means in the 
Banks' computers to attach this code to the transac- 
tion details for each individual fund transfer. 

100 17. An electronic fund transfer and data protec- 
tion system in accordance with the principles of 
variable test numbers described in British Patent 
Application 8028824 in which the portable data 
carrier contains two further registers to hold in on 

1 05 register a true account number and in the other 

register a derived account number, the latter being a 
function of said true account number and active test 
number held in the test number register of the said 
data carrier, and means for reading out from said 

1 1 0 data carrier both the true and the derived account 
numbers and the address code for addressing the 
corresponding test number register in the transac- 
tion terminal. 

18.An electronic fund transfer and data protection 

115 system in accordance with Claim 1-16, and 17, the 
improvement consisting of the provision of proces- 



uortaDie oata earner, generate a Tunction or tne 
interaction of the true account number and the duly 
addressed testnumber, comparator means to com- 
pare the number resulting from said interaction with 

the derived account number received from the 
portable data car^:er. and if identity is not establish 
[jV said comparator, the transaction is disablea and 
displayed as rejected. 
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